Trusted extensions-gdansk-v1 0


Published on

Trusted Extensions Security Solution

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Trusted extensions-gdansk-v1 0

  1. 1. Implementing Trusted Extensions Kevin Mayo CTO Global Government Sun Microsystems
  2. 2. What is Solaris Trusted Extensions? • An extension of the Solaris 10 security foundation providing access control policies based on the sensitivity/label of objects • A set of additional software packages added to a standard Solaris 10 system. • A set of label-aware services which implement multilevel security • A secure design to meet the Government set of security standards
  3. 3. Secure S10 Foundation Solaris 10 Security Digital Certificates Everywhere Secure Execution* User Rights Management Process Rights Management Cryptographic Framework IPFilter Kerberos Single Sign On Secure By Default * Coming in future update
  4. 4. Network Protection • IP Filter firewall > Sun supported stateful firewall > Allows selective access to ports based on IP addr. > Compatible/manageable like open source IPF • TCP Wrappers > Limit access to TCP/UDP service by domain name • Limiting Networking Services > Reduced Networking MetaCluster – Ultra small Solaris > Generic Limited Networking Service Profile > Will be enhanced in Solaris 10 update to include better 'out-ofthe-box' security, full function desktop and no exposed network svcs
  5. 5. Cryptographic Framework ● ● Extensible cryptographic interfaces. > A common kernel and user-land framework for providing and using cryptographic functionality. > A common interface for cryptographic functions whether completed in hardware or software. > Extensible framework for vendors to provide custom functionality. By default, supports major algorithms. > Encryption: AES, RC4, DES, 3DES, RSA > Hashing: MD5, SHA-1 > MAC: DES MAC, MD5 HMAC, SHA-1 HMAC > Optimized for both SPARC, Intel and AMD
  6. 6. Remote Access and Auditing • Solaris Secure Shell > Standards-based encrypted remote access • Kerberos Single Sign On > Standards-based enterprise single sign on > Optional encryption of NFSv3 and NFSv4 file shares • IPSec/IKE > Transparently encrypted communications • Auditing of activities > Audit records for all activities track users and roles > Output in XML format for parsing and analyzing > Centralized auditing and per-container audits
  7. 7. User Access and Rights • User Rights Management > Roles defined with specific commands and authorizations they can perform > Users associated with roles. All audit logs record specific user and what role they were in at the time > Roles and non-logins can be used for system services • Password Management > New password capabilities prevent easily guessed or reused passwords and provide account lockout > Pluggable Authentication Modules for expansion
  8. 8. Zones Example • Highly secure • Invisible to each other • Very efficient • No performance penalty • Separated file systems • 8,000 per OS instance • Resource mgmt globally and per container
  9. 9. File Integrity and Secure Execution • BART – Basic Audit and Reporting Tool > Checksums compared periodically against known good list of files that customer generates > Can be used with Sun-supplied Fingerprint Database • Solaris Secure Execution* > Almost all applications are signed in Solaris 10 > Sys-admins can manually verify them today > Future update will verify integrity at load time >Customers can sign their own files, or 3rd party >Can customize EXACTLY which apps can be run on whole system, preventing ANY unauthorized app from running
  10. 10. Encrypted File Systems • Loopback-based > One physical file on disk, contents encrypted > Mounted as file system via loopback > No application modification required > Works with NFS & local file sharing > Early update of Solaris 10 • ZFS Module for Encryption > ZFS offers modular structure for enhancements > Would encrypt a full ZFS file system on disk > No application modification required > All other aspects of management preserved > Sometime after ZFS is released in Solaris update
  11. 11. Solaris 10 Privileges “contract_event” Request reliable delivery of events “contract_observer” users "cpc_cpu” "dtrace_kernel" "dtrace_proc" "dtrace_user" "file_chown" "file_chown_self" "file_dac_execute" "file_dac_read" "file_dac_search" "file_dac_write" perms "file_link_any" "file_owner" ops "file_setid" "ipc_dac_read" Mem perms "ipc_dac_write" Mem perms "ipc_owner" "net_icmpaccess" "net_privaddr" (<1023+extras) "net_rawaccess” "proc_audit” "proc_chroot” Observe contract events for other Access to per-CPU perf counters DTrace kernel tracing DTrace process-level tracing DTrace user-level tracing Change file's owner/group IDs Give away (chown) files Override file's execute perms Override file's read perms Override dir's search perms Override (non-root) file's write Create hard links to diff uid files Non-owner can do misc owner Set uid/gid (non-root) to diff id Override read on IPC, Shared Override write on IPC, Shared Override set perms/owner on IPC Send/Receive ICMP packets Bind to privilege port Raw access to IP Generate audit records Change root "proc_lock_memory" "proc_owner" "proc_priocntl" "proc_session" process "proc_setid" "proc_taskid" “proc_zone” zones “sys_acct” (acct) “sys_admin (node/domain name) "sys_audit" "sys_config" "sys_devices" (exclusive) "sys_ipc_config" "sys_linkdir" "sys_mount" "sys_net_config" interfaces,routes,stack "sys_nfs" "sys_res_config" "sys_resource" "sys_suser_compat" "sys_time" Lock pages in physical memory See/modify other process states Increase priority/sched class Signal/trace other session Set process UID Assign new task ID Signal/trace processes in other Manage accounting system System admin tasks Control audit system Manage swap Override device restricts Increase IPC queue Link/unlink directories Filesystem admin (mount,quota) Config net Bind NFS ports and use syscalls Admin processor sets, res pools Modify res limits (rlimit) 3rd party modules use of suser Change system time
  12. 12. Kerberos and Secure Shell ● ● Kerberos Enhancements ● MIT Kerberos 1.3.2 Refresh ● KDC Incremental Propagation ● Migration Tools ● Kerberized network clients (telnet, rcmds, etc.) ● Interoperability Fixes Secure Shell Enhancements ● OpenSSH 3.6p2 Refresh ● GSS-API Support ● Keyboard “Break” Sequence Support ● X11 Forwarding “on” by default ● ARCfour, AES CTR mode Encryption Support ● /etc/default/login Synchronization ● SSH2 Rekeying, Service Side Keepalives, etc...
  13. 13. Auditing • Solaris Auditing > Updated to support output to SYSLOG Oct 29 01:52:56 lennox audit: [ID 225229 audit.notice] su ok session 3285174027 by root as root:root from lennox text success for user sys > Updated to support translation to XML (praudit -x) <record version="2" event="su" host="lennox" iso8601="2004-10-29 01:52:56.862 -04:00"> <subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="234" sid="3285174027" tid="0 0 lennox"/> <text>success for user sys</text> <return errval="success" retval="0"/> </record> • What do I need to know? > > > > SYSLOG is not a guaranteed protocol Subset of audited events can be sent via SYSLOG Using SYSLOG events can be sent off-host. Beta XML Audit Parser available (unsupported)
  14. 14. Access Management • Account Access > Users versus Roles >Leverage 'roles' for service and shared accounts! > Non-Login versus Locked Accounts >New passwd(1) options to manage > Account Lockout (Global or per-User) >“Three strikes” requires administrator to unlock. • File system Object Access > Unix Permissions and ACLs >Same as previous Solaris releases > New mount option - “noexec” >Useful for file systems containing only data.
  15. 15. User Rights Management • Decompose superuser into less powerful roles based on job requirements. • Assign rights to roles; and roles to users. • Audit user actions. • In Solaris 8, 9, 10 • In Trusted Solaris & Trusted Extensions • Centralized mgmt. S Rights R U U U R
  16. 16. User/Password Management • Password Complexity Checks > Login Name, White Space > Minimum Alpha, Non-Alpha, Upper, Lower, (Consecutive) Repeats, Special, Digits, etc. • Password History (0 – 26 passwords) • Banned Password List (Dictionary) • What do I need to understand? > Complexity checks apply to everyone - but 'root' > Password history is 'files' only. > Password aging is 'files', NIS+ and LDAP only.
  17. 17. Solaris Secure Execution • Verifies integrity of the executable portion of almost all applications, drivers, modules • Customers can sign their own or 3rd party applications – no changes needed • Manual verification in Solaris 10 03/05 > $ elfsign verify -e /usr/bin/login > elfsign: verification of /usr/bin/login passed. • Automatic run-time verification in update > User selectable rules for checking > Prevents modified or unsigned code from running > Customized systems can now be signed and secured
  18. 18. Solaris System Auditing • Audits all system events • Records actual userid and what role and application issued which system calls, command line or data access • Captures complete command line and environment variables for later analysis • Audit compliance is required by Common Criteria Controlled Access Protection Profile • Same audit system used in Solaris 8, 9, 10 > Solaris 9 & 10 offer XML output & selective filtering of system read-only activities > Solaris 10 offers syslog channel for audit logs
  19. 19. Who Needs more? The World is Changing!
  20. 20. What TX is NOT • It is NOT Trusted Solaris 8 ported to Solaris 10 > It will NOT run Trusted Solaris 8 applications • It is NOT a new operating system nor a new kernel > Works with all Solaris patches > Patches for TX added pkgs through normal patch site • It does not have additional “commercial” security features over and about standard Solaris • It is NOT limited to SPARC processors > Runs on SPARC, x86, x64 • Closed and proprietary
  21. 21. Multi-Level Labeled Security Trusted Extensions Adds labeled security to Solaris 10 Multi-level networking, printing Multi-level GUI Leverages User & Process RM Uses Containers Compatible with all Solaris apps Target of CAPP, RBACPP, LSPP @ EAL 4+
  22. 22. Trusted Extensions in a Nutshell • Every object has a label associated with it > Files, windows, printers, devices, network packets, network interfaces, processes, etc... • Accessing or sharing data is controlled by the objects' label relationship to each other > Lower label objects do not see higher label objects • Administrators utilize Roles for duty separation > Security admin, user admin, backup, restore, etc... • Programs/processes are granted privileges rather than full superuser access • Strong independent certification of security
  23. 23. Goals and Benefits • Runs all Solaris applications > It's still Solaris, with Containers > It's still Solaris, just with extended security policy > It's still Solaris, same kernel > It's still Solaris, all Solaris patches work • Runs all infrastructure software > Backup, Web, middle-ware, dev tools, etc. > Database, file systems, devices/drivers, etc. • Preserve and transition > CDE User interface, single and multi-level JDS/GNOME > Solaris Mgmt. Cnsle with LDAP naming service
  24. 24. What are Label-Aware Services? • Services which are trusted to protect multilevel information according to predefined policy • Trusted Extensions Label-aware service include: > Labeled Desktops > Labeled Printing > Labeled Networking > Labeled Filesystems > Label Configuration and Translation > System Management Tools > Device Allocation
  25. 25. Mandatory Access Control and Security Labels • Users cleared at multiple security levels can work on them simultaneously • Compartmentalization of information is possible with Security labels and MAC thus facilitating server virtualization Non-hierarchical Commercial Hierarchy Government Hierarchy Internet Exec Mgmt Top Secret VP & above Secret Directors Confidential All Employees Unclassified Trusted Extens. Music Net Inc. Online Daisy's Florists Solaris 10 or Trusted Extensions Trusted Extens.
  26. 26. Strong Enforcement!
  27. 27. Multilevel Architecture Need-toknow (local zone) Internal Use Public (local zone) (local zone) Multilevel Desktop Services (Global Zone) Solaris Kernel SPARC, x86 or x64 Hardware Local or Sun Ray display • Layered architecture implements: > mandatory access control > hierarchical labels > principle of least privilege > trusted path > role-based access
  28. 28. Trusted Extensions Implementation • Each zone has a label > Labels are implied by process zone IDs > Processes are isolated by label (and zone ID) > Files in a zone assume that zone's label • Global zone is unique > Parent of all other zones > Exempt from all labeling policies >No user processes—just TCB >Trusted path attribute is applied implicitly > Provides services to other zones • Common naming service to all zones
  29. 29. Filesystem MAC policies • Labels derived from a filesystem owner's label • Mount policy is always enforced > No reading-up > Read-write mounts require label equality in labeled zones > Reading-down > Read-only mounts require dominance by client > Can be restricted via zone's limit set and network label range > Writing-up > Cannot write-up to regular files > Limited write-up to label-aware services (via TCP and doors) > Writing-down > Restricted to privileged label-aware global zone services
  30. 30. NFS Support for Zones • NFS clients: > Each zone has its own automounter > Kernel enforces MAC policy for NFS mounts • NFS servers: > Global zone administrators a share table per zone > Kernel enforces MAC policy for NFS requests • The global zone administrator can export filesystems from labeled zones > Each export must be a single-level filesystem > Zone's label automatically applied to each export
  31. 31. Networking: Option 1: Per-Zone IP addresses Need-toknow Internal Use Public Multilevel Desktop Services (Global Zone) Solaris Kernel • Each zone has a unique IP address • Network Interface may be virtualized to share a single hardware NIC or use multiple NICs
  32. 32. Option 2: All-Zone IP addresses Need-toknow Internal Use Public Multilevel Desktop Services (Global Zone) Solaris Kernel • All zones share a single address • Shared network Interface may be physical or logical • Both per-zone and all-zone assignment strategies can be used concurrently
  33. 33. Multi-Level Desktop • Trusted CDE standard > Similar to Trusted Solaris 8 > Included in initial Common Criteria Evaluation • Java Desktop System (GNOME) > Single Level desktop >Full accessibility requirements >More modern look-and-feel to customers > Multi-level desktop >Included in initial release >Test as part of the Common Criteria LSPP
  34. 34. Multilevel Session ● ● An authorized user can work at multiple sessions concurrently. The user can be authorized to do cut-and-paste operations.
  35. 35. Security Policy Enforced ● ● System queries for upgrade/downgrade of information Seeing data isn't enough to allow you to change or move it
  36. 36. Trusted Java Desktop System
  37. 37. Trusted Java Desktop System Details Workplace switcher Task switcher Trusted stripe and Trusted Path menu
  38. 38. Trusted Extensions Privileges file_downgrade_sl file_upgrade_sl net_bindmlp port net_mac_aware read-down sys_trans_label dominated labels win_colormap pseudo-colors win_config defaults win_dac_read X resources win_dac_write user's X resources win_devices pointer policies win_dga win_downgrade_sl X resources win_fontpath win_mac_read X resources win_mac_write resources win_selection selection manager win_upgrade_sl resources file downgrade label file upgrade label bind to a multilevel required for NFS translate nonload custom set X server read another user's modify another set keyboard and write to framebuffer downgrade label of install custom fonts read hon-dominated modify dominated X bypass trusted upgrade label of X The privilege limit set for zones will be configurable Any of these privileges may be assigned to zones
  39. 39. Benefits of Trusted Extensions • Leveraging Solaris functionality: > Process & User Rights Management, auditing, zones > Make use of existing Solaris kernel enhancements • Elimination of patch redundancy: > All Solaris patches apply, hence available sooner > No lag in hardware platform availability • Extend Solaris Application Guarantee • Full hardware and software support > File systems (UFS, VxFS, ZFS, SAM-FS, QFS, etc.) > Processors (SPARC, x86, AMD64) > Infrastructure (Cluster, Grid, Directory, etc.)
  40. 40. Benefits? Assurance + Mainstream Unix
  41. 41. What is Common Criteria EAL? ● CC Evaluation Assurance Levels (EAL) ● ● ● ● ● ● ● ● EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 Functionally Tested Structurally Tested Methodically Tested and Verified Methodically Designed, Tested and Verified Semi-formally Designed and Tested Semi-formally Verified Design and Tested Formally Verified Design and Tested These are used to measure how well a protection profile has been tested
  42. 42. Common Criteria Certifications • Targets include : SPARC, x86/x64 based systems, full networking, LDAP naming service, full GUI • Solaris 10 3/05: > CAPP, RBACPP @ EAL 4+ > Completed in December 2006 • Solaris 10 11/06: > CAPP, RBACPP, LSPP @ EAL 4+ > Officially “In evaluation” as of June 2006 > Expected to complete by Summer 2007 • US-based upcoming requirements > Basic, Single-Level Medium, Multilevel Medium
  43. 43. Some Common Customer Problems • Allowing access to the coalition network from the national network, but not vice versa • Erect a “Chinese wall” between investment and brokerage departments • Prevent accidental disclosure of confidential information • Data assurance – guarantee that a service does what it claims to do • Meeting privacy laws e.g. healthcare
  44. 44. A Smarter Solution!
  45. 45. Desktop consolidation - SNAP • Desktop consolidation > Permits access to those networks for which the user is cleared or do not need to know about > Denies transferring information from one network to the other, unless the user is authorised to upgrade or downgrade information > Provides concurrent access to different classifications • Based on configuration > Can be used to prevent accidental disclosure (relabeling requires confirmation) > Provides access to only those networks for which the user is cleared (Chinese wall)
  46. 46. Desktop Consolidation RDP (or other protocol) server Secure Net Apps 1,2,3 Secure Net Apps 1,2,3 Secure Net Apps 1,2,3 Secure Net Apps 1,2,3 RDP (or...) client on Sun Ray Session Server Office #1 Office #1 Office #1 Secure Net A-Z on One Terminal
  47. 47. Web-browsing • Allow web-access from one network to other networks, but not vice versa • This can be done using a firewall, a well-configured “regular” Solaris with a web proxy, or some variation on this theme • Using Trusted Extensions > in high-assurance environments to improve confidence > In any environment to provide additional controls (protect against misconfiguration)
  48. 48. Web-browsing • Label-configuration has the different networks “disjoint”, so TX will permit no communication between them Coalition Network 1 National network Coalition Network 2 Coalition Network 3
  49. 49. Web-publishing • In the same environment the customer wants to be able to publish documents to web-servers on the coalition networks C1 C2 NATIONAL NETWORK C3 TX
  50. 50. Web-publishing • Scripted (and thus easily updated) > Document retrieval > Document validation > Document publishing • Coded (but generic, so reusable) > The communication code in the global zone daemon > The relabeling and application invocation is scripted, so easily extended (but only by an admin, as it exists in the global zone which is inaccessible to “regular” users) • Work in progress (but will be built this fiscal year)
  51. 51. Desktop sessions > Users start an X server (e.g. Exceed) on their PC, > They use Secure Shell to log-in on the TX system > Once authenticated they get access to a text-based menu that allows them to select a “destination” host C1 C2 NATIONAL NETWORK C3 TX
  52. 52. TX as A Trusted Router
  53. 53. TX Trusted Router
  54. 54. Architecture Level 1 Browser CIPSO Port 80 Port 80 PUBLIC Port 80 Browser CIPSO INTERNAL Browser CIPSO NEEDTOKNOW Browser RESTRICTED CIPSO Proxy Server Port 8080 (Reverse) App Server Port 80 Proxy Filter gets client label from TX and adds to http header Servlets get label from http header using getHeader() RESTRICTED Zone Proxy Server listening on an MLP
  55. 55. Architecture Level 2 - HTML Client http JClientLabelFilter JFileLabelFilter Obtains remote connection label (direct or from http header) Obtains HTML file label WSDL JfilePEPFilter (XACML) JAX-RPC (Soap) PDPservice (XACML) JLabelhtml Static HTML File (NEEDTOKNOW) policy.xml
  56. 56. Architecture Level 2 - Tearline Client http JClientLabelFilter Obtains remote connection label XML File Apply XSLT to XML file, generates HTML JLabelxml (JAXP) XALAN XSLT File XSD File PEP Function (XCML) JAX-RPC PDPservice (XACML) WSDL
  57. 57. Under Development Web Service Example - [public]
  58. 58. Web Service Example - [confidential]
  59. 59. Web Service Example - [restricted] Note level of detail not available at [public]
  60. 60. Other Large Network Architectures
  61. 61. SIMA – Secure Delivery of eGovernment Services Mobile users SSL over IPSEC Wireless SSL over IPSEC Mobile phone SSL + VoIP over IPSEC Internet SSL SSL Personal Computer SSL over IPSEC SUN Rays Portal Server Sun eGov Applications Applications
  62. 62. Large Government Networks
  63. 63. Recap • Solaris with Trusted Extensions is > Just another configuration of Solaris 10 > But one which has some extra policy enforcement capabilities (and courtesy of these is being evaluated against stricter Common Criteria protection profiles) > Traditionally used as a desktop system, with Trusted CDE or Trusted JDS as a desktop environment > Equally usable for a “suspenders-and-a-belt” approach to servers in any environment > Where you can make a nice web proxy server, an application-access-controlling gateway, or a controlled publishing system (and much more) out of it...
  64. 64. Other References • Other articles, url's: > Desktop System Streamlines Analysis Work, SIGNAL, Henry S. Kenyon > USS Mt. Whitney exercise > JEDI page describing DoDIIS Trusted Workstation (DTW) > Super-Secure Systems Gain in Private Sector, Investor's Business Daily, 10/12/04; Donna Howell
  65. 65. References • Desktop System Streamlines Analysis Work, SIGNAL, Henry S. Kenyon • USS Mt. Whitney exercise • JEDI page describing DoDIIS Trusted Workstation (DTW) > > http://www.rl/tech/programs/afdi • Super-Secure Systems Gain in Private Sector, Investor's Business Daily, 10/12/04; Donna Howell
  66. 66. Related Information • Sun Security Home Page – • Solaris Patches & Finger Print Database – • Sun Security Coordination Team – • Sun BluePrints for Security – ● Developing a Security Policy ● Trust Modelling for Security Arch. Development ● Building Secure n-Tier Environments ● How Hackers Do It: Tricks, Tips and Techniques
  67. 67. Related Service Information • Sun Consulting Security Services – • Sun Education Security Services – • Sun Support Services > • Network and Security Products –
  68. 68.